Kaspersky Lab's new federal subsidiary is among Microsoft other vendors, industry groups and service providers offering guidance on proposed federal guidelines governing the acquisition of cybersecurity software and services for critical infrastructure protection.
The organizations responded to the General Services Administration (GSA) and the Department of Defense, which sought guidance in how to implement recommendations on federal procurement changes in a report issued by a Joint Working Group to the Obama Administration in January. The group was established to identify ways to make the acquisition process agile enough to address dangerous threats following President Obama's Executive Order to bolster critical infrastructure protection.
The report outlines ways to increase government accountability into risk management practices at organizations that maintain critical infrastructure facilities. It recommends that the manufacturers of security products must meet a minimum set of security standards to protect sensitive data and reduce software vulnerabilities as a condition of being awarded a contract.
Kaspersky Government Security Solutions Inc., the newly formed federal subsidiary of Russian antivirus giant Kaspersky Lab and Milpitas, Calif.-based network security vendor FireEye were the two security vendors that offered specific guidance on the proposed changes. Business and technology industry associations are also weighing in on the proposed changes, including The Information Technology Industry Council, an organization that represents a number of industry heavyweights including Dell, Hewlett-Packard, and Symantec.
Hilary MacMillan, vice president and cybersecurity intelligence executive at Kaspersky Lab Government Security Solutions offered a number of specific changes to add a risk assessment process to high-risk acquisitions and incorporate the impact of vulnerabilities or threats that products or services are addressing. For example, best-of-breed products could be validated under a federal program to identifying weaknesses at the source code level, MacMillan said.
Procurement practices need to be able to adapt to a constantly changing threat landscape and threats that are increasingly defeating dated security defenses, said Orlie Yaniv, FireEye's director of government affairs and policy, in his comments on the changes. Federal agencies continue to use signature-based tools that don't address increasingly sophisticated tactics and techniques of attacks that target them, Yaniv said.
"We believe that agencies should have greater agility and flexibility in their procurement decisions, which will allow them to procure and deploy the advanced and innovative cybersecurity technologies that are necessary to address the evolving threat landscape," Yaniv said. "Given the risks presented by advanced cyber threat actors, low-cost technically acceptable procurements should be discouraged or prohibited in acquisitions deemed of higher risk."
NEXT: Changes May Become Significant Compliance Burden, Microsoft Warns